fix(deps): vuln minor upgrades — 9 packages (minor: 6 · patch: 3) [src/product-management-service]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• src/product-management-service (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
github.com/jackc/pgx/v5	v5.6.0	v5.9.2	minor	Transitive	4 CRITICAL, 1 LOW
github.com/jackc/pgx/v5	v5.7.4	v5.9.2	minor	Direct	4 CRITICAL, 1 LOW
github.com/gofiber/fiber/v2	v2.52.5	v2.52.12	patch	Transitive	3 CRITICAL, 3 HIGH, 1 MODERATE, 2 MEDIUM
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Transitive	3 CRITICAL
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Transitive	3 CRITICAL
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Transitive	3 CRITICAL
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Transitive	3 CRITICAL
google.golang.org/grpc	v1.70.0	v1.80.0	minor	Transitive	3 CRITICAL
google.golang.org/grpc	v1.64.1	v1.80.0	minor	Transitive	3 CRITICAL
github.com/go-jose/go-jose/v3	v3.0.3	v3.0.5	patch	Transitive	1 HIGH, 1 MODERATE, 2 MEDIUM
github.com/aws/aws-sdk-go	v1.44.327	v1.55.8	minor	Transitive	2 MODERATE, 2 LOW
github.com/go-chi/chi/v5	v5.0.10	v5.2.5	minor	Transitive	2 MODERATE
github.com/go-chi/chi	v1.5.4	v1.5.5	patch	Transitive	2 MODERATE
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.4.13	v1.7.9	minor	Transitive	1 MODERATE
github.com/aws/aws-sdk-go-v2/service/s3	v1.32.0	v1.99.1	minor	Transitive	1 MODERATE

---

Security Details

🚨 Critical & High Severity (33 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/gofiber/fiber/v2	CVE-2025-66630	critical	Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure	v2.52.5	-
github.com/gofiber/fiber/v2	GO-2026-4471	critical	Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() on crypto/rand failure in github.com/gofiber/fiber	v2.52.5	2.52.11
github.com/gofiber/fiber/v2	GHSA-68rr-p4fp-j59v	CRITICAL	Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure	v2.52.5	2.52.11
github.com/jackc/pgx/v5	GHSA-9jj7-4m8r-rfcm	CRITICAL	Memory-safety vulnerability in github.com/jackc/pgx/v5.	v5.6.0	5.9.0
github.com/jackc/pgx/v5	GO-2026-4772	CRITICAL	CVE-2026-33816 in github.com/jackc/pgx	v5.6.0	5.9.0
github.com/jackc/pgx/v5	GO-2026-4771	CRITICAL	CVE-2026-33815 in github.com/jackc/pgx	v5.6.0	5.9.0
github.com/jackc/pgx/v5	GHSA-xgrm-4fwx-7qm8	CRITICAL	pgx contains memory-safety vulnerability	v5.6.0	-
github.com/jackc/pgx/v5	GO-2026-4772	CRITICAL	CVE-2026-33816 in github.com/jackc/pgx	v5.7.4	5.9.0
github.com/jackc/pgx/v5	GHSA-9jj7-4m8r-rfcm	CRITICAL	Memory-safety vulnerability in github.com/jackc/pgx/v5.	v5.7.4	5.9.0
github.com/jackc/pgx/v5	GO-2026-4771	CRITICAL	CVE-2026-33815 in github.com/jackc/pgx	v5.7.4	5.9.0
github.com/jackc/pgx/v5	GHSA-xgrm-4fwx-7qm8	CRITICAL	pgx contains memory-safety vulnerability	v5.7.4	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.64.1	-
google.golang.org/grpc	GO-2026-4762	CRITICAL	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.64.1	1.79.3
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.64.1	1.79.3
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	critical	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.70.0	-
google.golang.org/grpc	GO-2026-4762	critical	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.70.0	1.79.3
github.com/go-jose/go-jose/v3	GHSA-78h2-9frx-2jm8	HIGH	Go JOSE Panics in JWE decryption	v3.0.3	3.0.5
github.com/gofiber/fiber/v2	GHSA-qx2q-88mx-vhg7	HIGH	Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder	v2.52.5	2.52.9
github.com/gofiber/fiber/v2	GO-2025-3845	HIGH	Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder in github.com/gofiber/fiber	v2.52.5	2.52.9
github.com/gofiber/fiber/v2	CVE-2025-54801	HIGH	Fiber Susceptible to Crash via BodyParser Due to Unvalidated Large Slice Index in Decoder	v2.52.5	-

ℹ️ Other Vulnerabilities (18)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/go-jose/go-jose/v3	CVE-2025-27144	medium	Go JOSE's Parsing Vulnerable to Denial of Service	v3.0.3	-
github.com/go-jose/go-jose/v3	GO-2025-3485	medium	DoS in go-jose Parsing in github.com/go-jose/go-jose	v3.0.3	3.0.4
github.com/gofiber/fiber/v2	CVE-2026-25882	medium	Fiber has a Denial of Service Vulnerability via Route Parameter Overflow	v2.52.5	-
github.com/gofiber/fiber/v2	GO-2026-4543	medium	Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber	v2.52.5	2.52.12
github.com/aws/aws-sdk-go	GO-2022-0646	MODERATE	CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go	v1.44.327	-
github.com/aws/aws-sdk-go	GHSA-f5pg-7wfw-84q9	MODERATE	CBC padding oracle issue in AWS S3 Crypto SDK for golang	v1.44.327	1.34.0
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.4.13	1.7.8
github.com/aws/aws-sdk-go-v2/service/s3	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.32.0	1.97.3
github.com/go-chi/chi	GO-2026-4316	MODERATE	Open redirect vulnerability in the RedirectSlashes middleware in github.com/go-chi/chi	v1.5.4	-
github.com/go-chi/chi	GHSA-mqqf-5wvp-8fh8	MODERATE	chi has an open redirect vulnerability in the RedirectSlashes middleware	v1.5.4	5.2.4
github.com/go-chi/chi/v5	GHSA-vrw8-fxc6-2r93	MODERATE	chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes	v5.0.10	5.2.2
github.com/go-chi/chi/v5	GO-2025-3770	MODERATE	Host header injection which leads to open redirect in RedirectSlashes in github.com/go-chi/chi	v5.0.10	5.2.2
github.com/go-jose/go-jose/v3	GHSA-c6gw-w398-hv78	MODERATE	DoS in go-jose Parsing	v3.0.3	3.0.4
github.com/gofiber/fiber/v2	GHSA-mrq8-rjmw-wpq3	MODERATE	Fiber has a Denial of Service Vulnerability via Route Parameter Overflow	v2.52.5	2.52.12
github.com/aws/aws-sdk-go	GO-2022-0635	LOW	In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go	v1.44.327	-
github.com/aws/aws-sdk-go	GHSA-7f33-f4f5-xwgw	LOW	In-band key negotiation issue in AWS S3 Crypto SDK for golang	v1.44.327	1.34.0
github.com/jackc/pgx/v5	GHSA-j88v-2chj-qfwx	LOW	pgx: SQL Injection via placeholder confusion with dollar quoted string literals	v5.6.0	5.9.2
github.com/jackc/pgx/v5	GHSA-j88v-2chj-qfwx	LOW	pgx: SQL Injection via placeholder confusion with dollar quoted string literals	v5.7.4	5.9.2

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/aws/aws-sdk-go-v2/service/s3	v1.32.0	Apr 19, 2026	v1.99.1	src/product-management-service/src/core/go.mod
github.com/go-chi/chi	v1.5.4	-	v1.5.5	src/product-management-service/src/core/go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

github.com/jackc/pgx/v5 (v5.6.0 → v5.9.2) — Changelog

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

github.com/gofiber/fiber/v2 (v2.52.5 → v2.52.12) — GitHub Release

v2.52.12

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

v2.52.11

What's Changed

🧹 Updates

• Improve mount functionality by @gaby in 🧹 chore: Improve mount functionality gofiber/fiber#3900

🐛 Bug Fixes

• Backport defensive copying fixes from Fix: Prevent memory corruption in internal memory storage from pooled buffers gofiber/fiber#3828 and 🐛 bug: fix copying of key/values in internal/memory gofiber/fiber#3829 to v2 by @sixcolors in 🐛 Backport defensive copying fixes from #3828 and #3829 to v2 gofiber/fiber#3888
• Fixes and improvements for limiter middleware by @gaby in 🐛 bug: Fixes and improvements for limiter middleware gofiber/fiber#3899

Full Changelog: gofiber/fiber@v2.52.10...v2.52.11

v2.52.10

🐛 Bug Fixes

• Handle invalid path in filesystem by @rokostik in 🐛 bug: Handle invalid path in filesystem gofiber/fiber#3688
• Fix recover middleware panic output formatting by @ReneWerner87 in Fix recover middleware panic output formatting gofiber/fiber#3818
• Fix enforcement of Immutable config for some edge cases by @gaby in 🐛 bug: Fix enforcement of Immutable config for some edge cases gofiber/fiber#3835

📚 Documentation

• Document RoutePatternMatch by @ReneWerner87 in docs: document RoutePatternMatch gofiber/fiber#3723

New Contributors

• @rokostik made their first contribution in 🐛 bug: Handle invalid path in filesystem gofiber/fiber#3688

Full Changelog: gofiber/fiber@v2.52.9...v2.52.10

v2.52.9

🐛 Bug Fixes

• Add upper index limit for parsers by @gaby in 🧹 chore: Add upper index limit for parsers gofiber/fiber#3503
• Embedded struct parsing by @ReneWerner87 in 🐛 fix: Embedded struct parsing gofiber/fiber#3478
• Fix Content-Type comparison in Is() by @gaby in 🐛 bug: Fix Content-Type comparison in Is() gofiber/fiber#3537
• Fix MIME type equality checks by @gaby in 🐛 bug: Fix MIME type equality checks gofiber/fiber#3603

Full Changelog: gofiber/fiber@v2.52.8...v2.52.9

v2.52.8

👮 Security

• Fix for BodyParser - GHSA-hg3g-gphw-5hhm

🧹 Updates

• Backport ctx.String() from v3 by @gaby in 🧹 chore: Backport ctx.String() from v3 gofiber/fiber#3294

🐛 Bug Fixes

• Fix routing with mount and static by @ReneWerner87 in 🐛 Fix routing with mount and static gofiber/fiber#3454

📚 Documentation

• Update usage of ctx.Redirect() by @andradei in 📒 docs: Update usage of ctx.Redirect() gofiber/fiber#3417
• Add AGENTS.md by @gaby in docs: Add AGENTS.md gofiber/fiber#3461

Full Changelog: gofiber/fiber@v2.52.6...v2.52.8

v2.52.6

🐛 Bug Fixes

• Use Content-Length for bytesReceived and bytesSent tags in Logger Middleware in v2 by @gaby in 🐛 bug: Use Content-Length for bytesReceived and bytesSent tags in Logger Middleware in v2 gofiber/fiber#3067
• Fix handle un-matched open brackets in the query params by @dojutsu-user in 🩹 Fix: handle un-matched open brackets in the query params gofiber/fiber#3121
• Middleware/CORS: Remove Scheme Restriction by @zingi in 🩹 fix: Middleware/CORS Remove Scheme Restriction gofiber/fiber#3168
• Respect Immutable config for Body() by @nickajacks1 in 🐛 fix: Respect Immutable config for Body() gofiber/fiber#3246
• Support Square Bracket Notation in Multipart Form data by @ReneWerner87 in Support Square Bracket Notation in Multipart Form data gofiber/fiber#3268

📚 Documentation

• Add detailed documentation for the templates guide by @grivera64 in 📚 Doc: Add detailed documentation for the templates guide gofiber/fiber#3113

🛠️ Maintenance

• Update benchmark-action to v1.20.3 by @gaby in v2: Update benchmark-action to v1.20.3 gofiber/fiber#3084
• Add CODEOWNERS file by @gaby in v2: Add CODEOWNERS file gofiber/fiber#3124
• Update dependencies by @gaby in 🧹 chore: Update dependencies gofiber/fiber#3254
• Add parallel benchmark for Next() by @gaby in 🧹 chore: Add parallel benchmark for Next() gofiber/fiber#3259

Full Changelog: gofiber/fiber@v2.52.5...v2.52.6

google.golang.org/grpc (v1.70.0 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (*: Implementation of weighted random shuffling (A113) grpc/grpc-go#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81) grpc/grpc-go#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (balancer/randomsubsetting: Implementation of the random_subsetting LB policy grpc/grpc-go#8650)
  • Special Thanks: @marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (credentials/tls: Strip port before validating authority override grpc/grpc-go#8726)
  • Special Thanks: @Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (priority: prevent init timer restarting when a child transitions from CONNECTING to CONNECTING grpc/grpc-go#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (grpc: initialize decompressor for health check streams grpc/grpc-go#8765)
  • Special Thanks: @sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (transport: http2 server must validates header list size when early aborting stream grpc/grpc-go#8769)
  • Special Thanks: @joybestourous
• server: Propagate status detail headers, if availab

(truncated)

v1.78.0

Behavior Changes

• client: Align URL validation with Go 1.26+ to now reject target URLs with unbracketed colons in the hostname. (dns: drop test depending on invalid URL "dns://::1/foo.bar.com" grpc/grpc-go#8716)
  • Special Thanks: @neild
• transport/client : Return status code Unknown on malformed grpc-status. (transport/client: Return status code Unknown on malformed grpc-status grpc/grpc-go#8735)
• • xds/resolver:
  • Drop previous route resources and report an error when no matching virtual host is found.
  • Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. (internal/xds: change xds_resolver to use dependency manager grpc/grpc-go#8711)

New Features

• stats/otel: Add backend service label to weighted round robin metrics as part of A89. (stats/otel: Add grpc.lb.backend_service label to wrr metrics (A89) grpc/grpc-go#8737)
• stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. (stats/otel: Add subchannel metrics (A94) grpc/grpc-go#8738)

(truncated — see source for full notes)

github.com/go-jose/go-jose/v3 (v3.0.3 → v3.0.5) — GitHub Release

v3.0.5

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: go-jose/go-jose@v3.0.4...v3.0.5

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
go-jose/go-jose#174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

github.com/go-chi/chi/v5 (v5.0.10 → v5.2.5) — GitHub Release

v5.2.5

What's Changed

• Bump minimum Go to 1.22 and use new features by @JRaspass in Bump minimum Go to 1.22 and use new features go-chi/chi#1017
• Refactor graceful shutdown example by @mikereid1 in Refactor graceful shutdown example go-chi/chi#994
• Refactor to use atomic type by @cuiweixie in Refactor to use atomic type go-chi/chi#1019
• update reverseMethodMap in RegisterMethod by @cixel in update reverseMethodMap in RegisterMethod go-chi/chi#1022
• Update comment about min Go version by @JRaspass in Update comment about min Go version go-chi/chi#1023
• middleware: harden RedirectSlashes handler by @pkieltyka in middleware: harden RedirectSlashes handler go-chi/chi#1044
• Fix(middleware): Prevent double handler invocation in RouteHeaders with empty router by @mahanadh in Fix(middleware): Prevent double handler invocation in RouteHeaders with empty router go-chi/chi#1045

New Contributors

• @mikereid1 made their first contribution in Refactor graceful shutdown example go-chi/chi#994
• @cuiweixie made their first contribution in Refactor to use atomic type go-chi/chi#1019
• @cixel made their first contribution in update reverseMethodMap in RegisterMethod go-chi/chi#1022
• @mahanadh made their first contribution in Fix(middleware): Prevent double handler invocation in RouteHeaders with empty router go-chi/chi#1045

Full Changelog: go-chi/chi@v5.2.3...v5.2.5

v5.2.3

What's Changed

• Add pathvalue example to README and implement PathValue handler. by @catatsuy in Add pathvalue example to README and implement PathValue handler. go-chi/chi#985
• Allow multiple whitespace between method & pattern by @JRaspass in Allow multiple whitespace between method & pattern go-chi/chi#1013
• Avoid potential nil dereference by @ProjectMutilation in Avoid potential nil dereference go-chi/chi#1008
• feat(mux): support http.Request.Pattern in Go 1.23 by @Gusted in feat(mux): support http.Request.Pattern in Go 1.23 go-chi/chi#986
• fix/608 - Fix flaky Throttle middleware test by synchronizing token usage by @OtavioBernardes in fix/608 - Fix flaky Throttle middleware test by synchronizing token usage go-chi/chi#1016
• Optimize throttle middleware by avoiding unnecessary timer creation by @vasayxtx in Optimize throttle middleware by avoiding unnecessary timer creation go-chi/chi#1011
• Simplify wildcard replacement in route patterns by @srpvpn in Simplify wildcard replacement in route patterns go-chi/chi#1012
• Replace methodTypString func with reverseMethodMap by @JRaspass in Replace methodTypString func with reverseMethodMap go-chi/chi#1018

New Contributors

• @ProjectMutilation made their first contribution in Avoid potential nil dereference go-chi/chi#1008
• @Gusted made their first contribution in feat(mux): support http.Request.Pattern in Go 1.23 go-chi/chi#986
• @OtavioBernardes made their first contribution in fix/608 - Fix flaky Throttle middleware test by synchronizing token usage go-chi/chi#1016
• @srpvpn made their first contribution in Simplify wildcard replacement in route patterns go-chi/chi#1012

Full Changelog: go-chi/chi@v5.2.2...v5.2.3

v5.2.2

What's Changed

• Use strings.Cut in a few places by @JRaspass in Use strings.Cut in a few places go-chi/chi#971
• Fix non-constant format strings in t.Fatalf by @JRaspass in Fix non-constant format strings in t.Fatalf go-chi/chi#972
• Apply fieldalignment fixes to optimize struct memory layout by @pixel365 in Apply fieldalignment fixes to optimize struct memory layout go-chi/chi#974
• go 1.24 by @pkieltyka in go 1.24 go-chi/chi#977
• chore: delint ioutil usage by @costela in chore: delint ioutil usage go-chi/chi#962
• Fixed typo in Router interface definition by @mithileshgupta12 in Fixed typo in Router interface definition go-chi/chi#958
• Add support for TinyGo by @efraimbart in Add support for TinyGo go-chi/chi#978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @cxjava in Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg go-chi/chi#982
• Make use of strings.Cut by @scop in Make use of strings.Cut go-chi/chi#1005
• Change install command format to code block by @sglkc in Change install command format to code block go-chi/chi#1001
• Correct documentation by @mrdomino in Correct documentation go-chi/chi#992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @anuraagbaishya. Thank you!

New Contributors

• @pixel365 made their first contribution in Apply fieldalignment fixes to optimize struct memory layout go-chi/chi#974
• @mithileshgupta12 made their first contribution in Fixed typo in Router interface definition go-chi/chi#958
• @efraimbart made their first contribution in Add support for TinyGo go-chi/chi#978
• @cxjava made their first contribution in Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg go-chi/chi#982
• @sglkc made their first contribution in Change install command format to code block go-chi/chi#1001
• @mrdomi

(truncated)

v5.2.1

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See go-chi/chi#963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @VojtechVitek in Support the four most recent major versions of Go go-chi/chi#969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

What's Changed

• update credits section to link to goji license by @pkieltyka in update credits section to link to goji license go-chi/chi#944
• go 1.23 by @pkieltyka in go 1.23 go-chi/chi#945
• Make Context.RoutePattern() nil-safe by @gaiaz-iusipov in Make Context.RoutePattern() nil-safe go-chi/chi#927
• govet: Fix non-constant format string by @marcofranssen in govet: Fix non-constant format string go-chi/chi#952
• Add Find to Routes interface by @joeriddles in Add Find to Routes interface go-chi/chi#872
• Fix grammar error by @AntonC9018 in Fix grammar error go-chi/chi#917
• feat(): add CF-Connecting-IP by @n33pm in feat(): add CF-Connecting-IP go-chi/chi#908
  • Revert "feat(): add CF-Connecting-IP" by @VojtechVitek in Revert "feat(): add CF-Connecting-IP" go-chi/chi#966
• Fixed incorrect comment about routing by @jtams in Fixed incorrect comment about routing go-chi/chi#887
• Fix condition in TestRedirectSlashes by @tchssk in Fix condition in TestRedirectSlashes go-chi/chi#856
• middleware: Add strip prefix middleware by @m1k1o in middleware: Add strip prefix middleware go-chi/chi#875
• Set up go module for _examples/versions by @hongkuancn in Set up go module for _examples/versions go-chi/chi#948
• Ability to specify response HTTP status code for Throttle middleware by @vasayxtx in Ability to specify response HTTP status code for Throttle middleware go-chi/chi#571
• Support Content-Type headers with charset/boundary parameters by @GocaMaric in Support Content-Type headers with charset/boundary parameters go-chi/chi#880
• Fix Mux.Find not correctly handling nested routes by @joeriddles in Fix Mux.Find not correctly handling nested routes go-chi/chi#954

(truncated — see source for full notes)

github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream (v1.4.13 → v1.7.9) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/s3 (v1.32.0 → v1.99.1) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

---

Generated by ADMS Sources: 4 GitHub Releases, 3 Changelogs, 2 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.